Add tag for os default dfw section

The OS default firewall section doesn't have tags. To be consistent
with other resources created by our plugin, add tags to this
firewall section. Moreover, the cleanup util cleans up backend
resources created by our plugin based on their tags; if a resource
doesn't have a tag, the cleanup util cannot clean it up.

Also changing the shared tenant-id to use predefined string in
nsx_constants for dhcp and port switching profile.

Closes-bug: #1519091
Change-Id: Ib6db65b36030e863e1630c118910c168e9ab1a13
Tong Liu 2015-12-01 00:18:42 +00:00
parent 72d72623a9
commit ffaf285425
3 changed files with 12 additions and 3 deletions


@ -54,3 +54,6 @@ VIF_TYPE_DVS = 'dvs'
# NSXv3 L2 Gateway constants
BRIDGE_ENDPOINT = "BRIDGEENDPOINT"
# NSXv3 tag constants
SHARED_TAG_TENANT_ID = "neutron-nsx-plugin"


@ -20,12 +20,15 @@ NSX-V3 Plugin security integration module
from neutron.db import securitygroups_db
from vmware_nsx.common import nsx_constants
from vmware_nsx.common import utils
from vmware_nsx.db import nsx_models
from vmware_nsx.nsxlib.v3 import dfw_api as firewall
NSGROUP_CONTAINER = 'NSGroup Container'
DEFAULT_SECTION = 'OS default section for security-groups'
DEFAULT_SECTION_TAG_NAME = 'neutron_default_dfw_section'
def _get_l4_protocol_name(protocol_number):
@ -230,7 +233,10 @@ def _init_default_section(name, description, nsgroup_id):
break
else:
section = firewall.create_empty_section(
name, description, [nsgroup_id], [])
name, description, [nsgroup_id],
utils.build_v3_tags_payload({
'id': DEFAULT_SECTION_TAG_NAME,
'tenant_id': nsx_constants.SHARED_TAG_TENANT_ID}))
block_rule = firewall.get_firewall_rule_dict(
'Block All', action=firewall.DROP)
# TODO(roeyc): Add additional rules to allow IPV6 NDP.
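Review bot: The tags are passed only in the `else:` branch that creates a new section, so a default section that already exists on the backend (apparently matched in the loop ending at `break`, whose body is outside the hunk) stays untagged after an upgrade and, per the commit message, the cleanup util still cannot remove it. Either back-fill the tags on the reused section or document the gap above the call, e.g. `# NOTE: a pre-existing default section found above is reused as-is and stays untagged; only newly created sections carry the tags.` Separately, both tag values are static strings (`DEFAULT_SECTION_TAG_NAME` and `nsx_constants.SHARED_TAG_TENANT_ID`), so if the cleanup util selects on them alone it would presumably also match the default section of another Neutron deployment using the same NSX manager. That section holds the `Block All` drop rule, so the selection scope is worth confirming against the cleanup util. `_init_default_section` starts and ends outside the hunk.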


@ -181,7 +181,7 @@ class NsxV3Plugin(addr_pair_db.AllowedAddressPairsMixin,
NSX_V3_DHCP_PROFILE_NAME, 'Neutron DHCP Security Profile',
tags=utils.build_v3_tags_payload({
'id': NSX_V3_DHCP_PROFILE_NAME,
'tenant_id': 'neutron-nsx-plugin'}))
'tenant_id': nsx_constants.SHARED_TAG_TENANT_ID}))
return self._get_dhcp_security_profile()
def _get_dhcp_security_profile(self):
@ -222,7 +222,7 @@ class NsxV3Plugin(addr_pair_db.AllowedAddressPairsMixin,
whitelist_ports=True, whitelist_switches=False,
tags=utils.build_v3_tags_payload({
'id': NSX_V3_PSEC_PROFILE_NAME,
'tenant_id': 'neutron-nsx-plugin'}))
'tenant_id': nsx_constants.SHARED_TAG_TENANT_ID}))
return self._get_port_security_profile()